[VIM] CVE-2006-4030 - Gallery Stats Module
security curmudgeon
jericho at attrition.org
Thu Oct 5 04:57:27 EDT 2006
Finally! This CVE has been locked for ages now, taunting me on the OSVDB
backend, waiting to find out what it cross-references to =)
CVE-2006-4030
Unspecified vulnerability in the stats module in Gallery 1.5.1-RC2 and
earlier allows remote attackers to obtain sensitive information via
unspecified attack vectors, related to "two file exposure bugs."
Based on "Gallery" + "Stats Module" + "1.5.1-RC2", this should track to
OSVDB 19159:
19159: The Gallery Stats Module Unspecified File Disclosure
2005-09-01
http://gallery.sourceforge.net/
http://cvs.sourceforge.net/viewcvs.py/gallery/gallery/ChangeLog?rev=HEAD&content-type=text/vnd.viewcvs-markup
Changelog:
2005-08-24 Jay Rossiter <cryptographite at users.sf.net> 1.5.1-RC3-cvs-b13
* Fix: Prevent file exposure bug in stats module (thanks to ilia)
--
Now, CVE-2006-4030 says "two file exposure bugs" and the changelog says
"file exposure bug" (singular). Looking at the Debian bug report we see:
Date: Sat, 27 Aug 2005 17:21:56 +0000
Changes:
gallery (1.5-2) unstable; urgency=high
* SECURITY:
+ Fix two file exposure bugs in stats module.
So, I'd hazard a guess that the Gallery developers/author noticed one
file exposure bug back on 2005-08-24 and fixed it, but a closer inspection
a few days later found a second?
Also, CVE-2006-4030 tracks to Secunia 16594 which mentions a single file
disclosure vuln.
So, for OSVDB, I'm keeping our 19159 entry to track to the first of the
two issues, dated 2005-08-24 (changelog), and creating a new one (29350)
that will cross with CVE-2006-4030, dated 2005-08-27 (other
changelog/Debian bug comment).